LinuxQuestions.org
Old 03-25-2008, 06:51 PM   #1
wspivak
LQ Newbie
 
Registered: Mar 2008
Posts: 4

Rep: Reputation: 0
Bind Iptables can't access out of localhost


I have Fedora 8. Iptables is up and running, working correctly for http, imap, pop, ssh and ftp.

I need to get dns up and running so I opened 53 (tcp and udp).

My dns is authoritative only, and if I access the dns server from localhost, it seems to work correctly (for a primary domain, I get appropriate answers from dig, for www_hp_com, I get pointers to the root servers).

However, if I try to use dig @ipaddress, I get:
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

If I try to telnet into the box from within and use localhost, I get a connection; if I use the IP address or domain name, I get "connection refused".

I've tried this also from another computer on my LAN and from outside my upstream ISP.

Here's the kicker - I turn off iptables, and no change.

I'm obviously stumped. Anyone have any ideas?

Thank you (in advance)
 
Old 03-25-2008, 07:07 PM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
What addresses are you listening to in your bind config?

Perhaps post your config here. What distro are you using?
 
Old 03-26-2008, 06:22 AM   #3
wspivak
LQ Newbie
 
Registered: Mar 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by billymayday View Post
What addresses are you listening to in your bind config?

Perhaps post your config here. What distro are you using?
Port 53.

iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10025
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


Top of named.conf:

key "rndc-key" {
algorithm hmac-md5;
secret "xxx";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
channel default_debug {
file "/var/log/named.run";
severity dynamic;
};
};


options {
query-source port 53;
query-source-v6 port 53;
listen-on port 53 { 127.0.0.1; }; #was 127.0.0.1
listen-on-v6 port 53 { ::1; }; #was ::1
directory "/var/named/";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };#was localhost
recursion no; #was yes
allow-recursion { 127/8; 192.168/16; 10/8; 172.16/12; };

query-source address * port 53;
notify-source * port 53;
transfer-source * port 53;
};

zone "." IN {
type hint;
 
Old 03-26-2008, 07:10 AM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Not what port, what address

Post

netstat -np --listen | grep :53

I think you've restricted yourself to 127.0.0.1 (listen-on port 53 { 127.0.0.1; }; #was 127.0.0.1)

Edit - you may need a form more like "listen-on { 127.0.0.1; 192.168.1.1/24; };" replacing 192.168.1.1 with the relevant internal IP range

Last edited by billymayday; 03-26-2008 at 07:12 AM.
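As an added example (not code from the thread or from BIND itself), here is how the listen-on address match list that this reply points at is evaluated: a small parser for the option and a matcher that, given the host's interface addresses, shows which of them named would actually bind. The two config fragments and the interface list are constructed from the values in the thread; "localhost" and "localnets" entries are not handled.

```python
import ipaddress
import re

# Constructed fragments, not the full named.conf from the thread: the
# loopback-only listen-on from post #3 and the form suggested in post #4.
LOOPBACK_ONLY = 'listen-on port 53 { 127.0.0.1; }; #was 127.0.0.1'
LAN_AND_LOOPBACK = 'listen-on { 127.0.0.1; 192.168.1.1/24; };'


def parse_listen_on(conf_text):
    """Return the entries of the first IPv4 listen-on address match list.

    Covers the syntax seen in the thread: an optional 'port N' and a
    brace-delimited list of addresses or prefixes, plus the keywords any
    and none. Trailing '#' comments are dropped first.
    """
    stripped = "\n".join(line.split('#', 1)[0] for line in conf_text.splitlines())
    m = re.search(r'listen-on(?!-v6)\s*(?:port\s+\d+\s*)?\{([^}]*)\}', stripped)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def address_matches(addr, entries):
    """Evaluate the list the way named does: first matching entry wins,
    a leading '!' negates, and no match means the address is rejected."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        negate = entry.startswith('!')
        pattern = entry.lstrip('!').strip()
        if pattern == 'any':
            hit = True
        elif pattern == 'none':
            hit = False
        else:
            # strict=False accepts a host address with a prefix length
            # (192.168.1.1/24), which BIND tolerates as well.
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        if hit:
            return not negate
    return False


def listening_addresses(conf_text, interface_addrs):
    """Return the interface addresses named would actually bind to."""
    entries = parse_listen_on(conf_text)
    return [a for a in interface_addrs if address_matches(a, entries)]
```

With the constructed interfaces ['127.0.0.1', '192.168.1.10'], the loopback-only fragment yields only 127.0.0.1, which is exactly the symptom in post #1; the corrected fragment yields both.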
 
Old 03-26-2008, 08:28 PM   #5
wspivak
LQ Newbie
 
Registered: Mar 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by billymayday View Post

I think you've restricted yourself to 127.0.0.1 (listen-on port 53 { 127.0.0.1; }; #was 127.0.0.1)

Edit - you may need a form more like "listen-on { 127.0.0.1; 192.168.1.1/24; };" replacing 192.168.1.1 with the relevant internal IP range
Thank you, that was the trick - I'm now working from within and without my LAN.

Thanks again!!!!

Wayne
 
All times are GMT -5. The time now is 07:19 AM.